[57] ABSTRACT

The invention relates to a process for loading a protected 
storage zone of an information processing device, with 
confidential data and/or programs, and to the associated 
information processing device. 

The information processing device (1) includes a module (8) 
that includes a non-volatile memory having a protected zone 
(11) which is read-write accessible to a processing means (9)
inside the module, but is at least write-protected from 
outside the module. The process executes a transfer of 
confidential information to the protected zone (11) from an 
analogous protected zone (27) of a portable object (21) with 
a structure similar to that of the module. The portable object 
is received in a portable object reader (6) which is provided 
in the information processing device. 

12 Claims, 2 Drawing Sheets 
PROCESS FOR LOADING A PROTECTED
STORAGE ZONE OF AN INFORMATION 
PROCESSING DEVICE, AND ASSOCIATED 
DEVICE 

CROSS-REFERENCE TO RELATED 
APPLICATIONS 

The subject matter of U.S. Pat. No. 4,382,279 and U.S. 
Pat. No. 4,211,919 is hereby incorporated by reference. 

FIELD OF THE INVENTION 

The invention relates to a process for loading an infor- 
mation processing device which comprises information pro- 
cessing means, a memory, means for cooperating with a first 
portable object, and a module that comprises information 
processing means and a nonvolatile memory having a protected
zone which is read/write accessible to the processing means 
but is at least write-protected from outside the module. The 
information processing device is operatively associated with 
a first portable object including information processing 
means and a nonvolatile memory having a protected zone 
which is read/write accessible to the processing means, but 
is at least write-protected from outside the portable object, 
the protected zone of the first portable object containing data 
and/or programs.

BACKGROUND OF THE INVENTION 

The chief concern in loading an information processing 
device of this type is the loading of the module, since by its 
very structure, this module is designed to contain confiden- 
tial data or programs in the protected zone of its memory. 

In a known device of this type, the module itself is a 
portable object which cooperates with the device by means 
of a portable object reader. In this case, the module is loaded 
independently of the device, during an initial phase for 
customizing the module which is carried out at an authorized 
facility. In the secured environment of this facility, loading 
the module does not pose any particular problem. 

On the other hand, loading the protected zone of the 
module without compromising confidential data when the 
module has already been installed in the processing device 
is trickier, particularly when this device itself has previously 
been installed outside the premises of the authorized facility, 
in an unsecured environment. 

SUMMARY OF THE INVENTION 

A first object of the invention is to propose a process for 
loading the protected zone of the module in a secure manner, 
whether or not it is removable, and whether or not the 
environment in which the loading is carried out has been 
secure throughout the life of the processing device. 

To this end, the invention relates to the process described 
at the beginning of the disclosure, characterized in that it 
comprises the steps which consist of making the processing 
device cooperate with the first portable object and of trans- 
ferring the data and/or programs originating from the pro- 
tected zone of the first portable object to the protected zone 
of the module. 

Thus, according to the invention, secure loading of the 
module is obtained by establishing a dialogue between this 
module and an external portable object, which has the same 
secure structure as the module, and by executing a transfer 
of confidential information between their respective pro-
tected zones.

A second aspect of the invention relates to a process for
providing a service provision that requires the intervention
of the first portable object and a second portable object,
which comprises information processing means and a non-
volatile memory having a protected zone which is read/write
accessible to the processing means, but is at least write-
protected from outside the portable object, the protected
zone containing data and/or programs, the data and/or pro-
grams contained in the protected zones of the first and
second portable objects defining their respective access
rights and required operations as to this service provision.

For example, the functions of authentication of the por-
table objects, data encryption, or even certification or sig-
nature of the information in the portable objects require the
use of secondary portable objects which contain secrets
correlated to the secrets of the principal portable objects.

This is particularly the case with payment applications in 
which it is possible to send a random number to both of the 
objects and to compare the results of a calculation which is 
carried out in each object on the basis of a protected key and 
an appropriate cryptographic algorithm. When the two 
results are identical, it may be deduced that the secondary 
portable object has authenticated the principal portable 
object. The process can be carried out in both directions in 
order to obtain a mutual authentication.

In this case, it is necessary to have two portable electronic
objects and accordingly, machines or apparatuses which are 
capable of creating an interface between the two objects. 
These apparatuses must therefore include two channels for 
communicating with the two objects and in particular two 
connection systems, which will increase the costs and stor- 
age requirements and reduce the reliability of the equipment. 

A complementary object which the invention seeks to 
attain is to avoid the simultaneous presence of two devices 
for reading the portable objects in the apparatuses. 

According to the invention, the processing device is made
to cooperate with the first portable object in order to transfer
the data and/or programs originating from the protected zone
of the first portable object into the protected zone of the
module; the processing device is then made to cooperate
with the second portable object, and the process proceeds to
deliver the service using the data and/or programs trans-
ferred into the module and those contained in the second
portable object.

The invention also relates to an information processing 
device designed to implement the above-mentioned process.

BRIEF DESCRIPTION OF THE DRAWING(S) 

Other details and advantages of the invention will appear 
in the following description according to a preferred but 
non-limiting form of embodiment with regard to the
appended documents, in which: 

FIG. 1 represents a diagram of the information processing 
device according to the invention and two portable objects 
intended to cooperate with this device in succession; and

FIG. 2 defines a set of operations relative to a particular 
application of the invention.

DESCRIPTION OF THE PREFERRED 
EMBODIMENTS 

The information processing device 1 represented in FIG.
1 includes, in a known manner, a microprocessor 2 to which
are connected a ROM memory 3, a RAM memory 4, and a
transmission interface 5 which allows the device to
communicate with another similar device, either directly or
through a communication network. It also includes a
portable object reader 6, for example like that described in
French patents 2 461 301 and 2 401 459 and their
corresponding U.S. Pat. Nos. 4,382,179 and 4,211,919
respectively. Reader 6 is connected to the microprocessor 2
by a transmission line 7.

The device 1 can also be equipped with storage means
such as removable or non-removable diskettes or disks, data
entry means (such as a keyboard and/or a mouse-type
pointing device), and display means. For simplicity and
clarity of presentation, these various means are not shown in
[illegible]

Furthermore, the device 1 includes an electrical module 8,
hereinafter called a transfer module, which includes
information processing means 9 and an associated nonvolatile
memory 10. This module is disposed so as to define, in the
memory 10, a secret zone 11 in which information, once
recorded, is inaccessible from outside the module and is
accessible only to the processing means 9, and an open zone
12 which is read-write accessible from outside the module.
Each storage zone can include a non-erasable ROM part and
an erasable EPROM or EEPROM part or a part constituted
by a "flash"-type RAM memory, that is, a part which has the
characteristics of a EEPROM memory but with access times
which are identical to those of a standard RAM. A volatile
RAM memory, which is not represented, is also provided.

Among other things, a microprocessor with an
autoprogrammable nonvolatile memory, like that described in
the aforenoted U.S. Pat. No. 4,382,279 could be used as the
module 8. As indicated on page 1, lines 5 through 17 of this
patent, the autoprogrammable characteristic of the memory
corresponds to the possibility for a program fi located in this
memory to modify another program fj also located in this
memory into a program gj. Although the implementing
means for carrying out this autoprogramming could vary
depending on the technology used to design the information
processing means 9, it will be recalled that, in the case in
which these processing means are constituted by a
microprocessor associated with a nonvolatile memory
according to the above-mentioned patent, these means can
include:

buffers for data and addresses, associated with the
memory,

a write program loaded into the memory which contains,
in particular, the instructions which allow the maintenance
of the memory programming voltage on one hand, and the
maintenance of the data that are to be written and their
addresses on the other hand, for a sufficient length of time,
although this write program can nevertheless be replaced by
a write controller with logic circuits.

In a variant of the invention, the microprocessor of the
module 8 is replaced by logic circuits implanted in a
semiconductor chip. In fact, circuits of this type are able to
carry out calculations, particularly authentication and
signature calculations, thanks to hard-wired,
non-microprogrammed electronics. The Siemens component
marketed under the name SLE 4436 and the SGS-Thomson
component marketed under the name ST 1335 may be cited
as examples.

Preferably, the module 8 is in monolithic form on a single
chip. It is connected to the microprocessor 2 by a
transmission line 13 which connects directly to the
microprocessor, or by a transmission line 13' which connects
to the transmission line 7 of the portable object reader 6, as
represented by a dotted line in FIG. 1.

From a physical standpoint, the module 8 could be
associated with the information processing device 1 in
various ways. First of all, it could be designed to be
completely integrated into the device, for example disposed
on a plate inside the device which supports a set of electronic
components, or even on the same chip as the device. It could
also be designed as a detachable, added element which could
be inserted and removed. For example, it will be carried,
either removably or non-removably, by a mass memory
[illegible] in accordance with the [illegible] Association)
standard, which is plugged into a corresponding connector of
the information processing device 1, the connector being
located, for example, between the microprocessor 2 and the
junction point between the transmission lines 7, 13' (the
dotted line with the reference number 14).

The processing device 1 is intended to cooperate with two
portable objects 21, 22 as defined above in relation to the
portable object reader 6. Each of them is equipped with an
electronic module which has the same structure as the
module 8 associated with the processing device 1 and
therefore has, respectively, information processing means
23, 24, a nonvolatile memory 25, 26 which includes a
protected zone 27, 28 and an open zone 29, 30 and
self-programming means.

In a variant, the secret zone of the transfer module 8
and/or of the two portable objects is complemented or
replaced by a zone whose security level is lower than that of
the secret zone. More precisely, this zone is not only
read-write accessible to the processing means of the transfer
module or portable objects, but is also read-accessible (but
not write-accessible) from outside the module or the
objects. In the present disclosure, "protected zone"
designates either a secret zone which is inaccessible from the
outside, or a zone which is only read-accessible from the
outside. In a zone which is read-accessible from the outside,
it is possible to store, in particular, the public key of a public
key algorithm, or various data or programs. In a secret zone,
secret keys, in particular, are stored.

The process according to the invention involves, first of
all, a phase for customizing the transfer module 8 of the
processing device 1 and the two portable objects 21, 22
which is carried out by the authorization facility. By way of
example, the following procedure could be used. The same
protected key S is disposed in the respective protected zones
11, 27 of the transfer module 8 and the first portable object
21, which will, in particular, allow the portable object to
authenticate the transfer module. Furthermore, a protected
mother key K is disposed in the protected zone 27 of the first
portable object, and a protected key Kd which is diversified
from the key K is disposed in the protected zone 28 of the
second portable object, these two keys making it possible, in
particular, for the first portable object to authenticate the
second. For example, the diversified key Kd is obtained by
executing a calculation by means of a specific cryptographic
algorithm which takes into account the mother key K and a
diversification parameter which is characteristic of the
second portable object. If necessary, the protected key S could
also be subject to a diversification procedure.

In the protected zones 27, 28 of the two portable objects,
respectively, there are also two programs P1 and P2 linked
to the application in question and which define, in particular,
the rules for allocating one or the other service provision.

The invention applies to the implementation of a
procedure linked to the service in question, which requires the
simultaneous presence of both portable objects 21, 22. To
this end, at least certain access rights written into the
portable object 21 will be copied into the transfer module 8.

In a first step, the portable object 21 is inserted into the
portable object reader 6, and along with the transfer module
8 it implements a mutual authentication procedure so as to
verify that they are both actually authorized to intervene in 
the delivery of the service in question. For example, the 
portable object generates a random number E and sends it to 
the transfer module, which executes a calculation based on 
its protected key S and this random number E and sends a 
result R of the calculation to the portable object 21. This 
object executes the same calculation on its end, based on its 
protected key S and the same random number E, to produce 
a result R', and compares the two results R, R'; if they are 
identical, the portable object considers the transfer module 
to be authenticated. A procedure of this type is described, in 
particular, in French patent 2 601 795 in the name of the 
present Applicant. 

The procedure described above relates to the authentica- 
tion of the transfer module 8 by the portable object 21. In the 
reverse direction, the transfer module 8 could authenticate 
the portable object 21 using an analogous procedure, in 
which case the comparison of the results R, R' would take 
place in the transfer module. 

Once the mutual authentication has been confirmed, the 
transfer module 8 and the portable object 21 can exchange 
either unencrypted information, or information in encrypted 
form using an encryption key Sc; in the latter case, the 
encryption key can be calculated by the transfer module and 
the portable object in a known manner from an algorithm F 
contained in their protected storage zones 11, 27, from their 
common protected key S, and from a random number Ec 
generated by either the module or the object and transmitted 
to the other of these two devices. The encryption of the 
information by one of the devices uses the encryption key Sc 
and an encryption algorithm G, and the other device 
decrypts the information received by means of the same 
parameters or by means of a key and an encryption algo- 
rithm correlated to them. 

In a known manner, the procedure may require the carrier 
of the portable object 21 to authenticate itself by presenting 
a confidential code to this object by means of a keyboard of 
the processing device 1, a code which is compared with a 
reference code contained in the protected storage zone 27 of 
the object. 

A second step of the procedure according to the invention 
consists of transferring all the parameters necessary to the 
delivery of the service in question from the portable object 
21 to the transfer module 8. The protected key K and the 
program P1, in particular, are transferred into the protected
storage zone 11 of the transfer module 8, and they will allow 
this module, along with the second portable object 22, to 
carry out any operation which requires the use of this key 
and this program. 

It may prove necessary to limit the period during which 
the transfer module 8 will exert the access rights which will 
have been transmitted to it by the first portable object 21. To 
this end, the transfer module 8 will incorporate, in its 
protected zone 11, a program which is disposed so as to 
inhibit its operation when a predetermined limit, transmitted 
by the first portable object 21, has been reached. This may 
involve, in particular, an operating time which elapses from
the moment when the transfer of access rights has occurred, 
or after a number of transactions, the definition of a trans- 
action being predetermined by the system and being able to 
correspond to a specific service provision unit or to a 
session, which is a period that runs from the moment when 
the second portable object 22 is inserted into the processing 
device 1 to the moment when it is removed. At the end of the 
authorized utilization period, the transfer module will be 
inhibited and will only be able to be restarted by the
insertion of a portable object which is capable of unlocking 
it, such as the first portable object 21, into the reader 6. 

FIG. 2 illustrates one possible application of the invention 
in which a message M, written using the data entry means
of the processing device 1, must be signed by the first 
portable object 21, and the message M with its signature SG 
must be introduced into the second portable object 22. 

In a first step 31, the first portable object 21 is inserted into 
the portable object reader 6 of the processing device 1. In the 
next step 32, the first portable object 21 authenticates the 
transfer module 8 in the manner described previously. Once 
an authentication has been confirmed, the first portable 
object 21 loads its protected key K and its program P1 into
the protected zone 11 of the transfer module (step 33). Then, 
the first portable object 21 is removed from the processing 
device 1 (step 34) and the second portable object 22 is 
inserted in its place (step 35). 

The authentication of the second portable object 22 by the 
transfer module involves the key K received by the module 
and the key Kd of the portable object. It is executed in the 
manner indicated previously. To this end, the transfer 
module, upon receiving a diversification parameter originat- 
ing from the portable object, will have to recalculate the 
diversified key Kd of the portable object from its mother key 
K. Then, even if the message M is already present in the 
memory of the processing device 1 this message is intro- 
duced into the processing device by the carrier of the first 
portable object 21, for example by the data entry means of 
this device (step 37). The editing of the message M may 
involve the programs P1 and P2.

In the next step 38, the transfer module 8 calculates the 
signature SG of the message M, a signature which insepa- 
rably links the contents of the message with the identity of 
its emitter, which in this case is the protected key K of the 
first portable object 21. In practice, the transfer module 
incorporates into its protected storage zone 11 a signature 
calculating algorithm H which is either there permanently or 
has been transferred by the first portable object 21. The 
algorithm H, which takes into account the message 
M — preferably in a shortened form— and the protected key 
K of the first portable object 21, calculates a result which 
constitutes this signature SG. 
In step 39, the message M and its signature SG are
transferred into the memory 26 of the second portable object 
22. This object is then removed from the processing device 
1 (step 40). 

In conclusion, it appears that the process according to the
invention has therefore made it possible to make the two
portable objects 21, 22 cooperate with the processing device 
1 in a common procedure, using only the one transmission 
line 7 which connects the portable object reader 6 to the 
microprocessor 2 of the processing device. 

It will be noted that the algorithms for producing a
diversified key Kd or an encryption key Sc for encrypting a 
piece of information and for calculating a signature could be 
constituted by the same algorithm. 
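
The following Python sketch is an added illustration, not code from the patent. It walks the FIG. 2 sequence: authentication under the shared key S in both directions, transfer of K with a limit of use, recomputation of Kd to authenticate the second object, calculation of the signature SG, and inhibition of the module once the limit is reached. HMAC-SHA256 stands in for the unspecified algorithms (one algorithm for all calculations, as the preceding paragraph permits); every class and function name and the sample diversification parameter are assumptions.

```python
import hashlib
import hmac
import secrets


def f(key, label, data):
    """One keyed function for every calculation (assumption: HMAC-SHA256)."""
    return hmac.new(key, label + b"|" + data, hashlib.sha256).digest()


def diversify(K, parameter):
    """Kd from mother key K and the second object's diversification parameter."""
    return f(K, b"div", parameter)


def signature(K, M):
    """SG over a shortened form of M (its SHA-256 digest) under key K."""
    return f(K, b"sign", hashlib.sha256(M).digest())


class Element:
    """Processing means plus a protected zone that only its own code reads."""

    def __init__(self, **protected):
        self._zone = dict(protected)

    def respond(self, key_name, E):
        """Prover: result R from a protected key and the random number E."""
        return f(self._zone[key_name], b"auth", E)

    def authenticate(self, peer, key_name, key=None):
        """Verifier: send a fresh E, compare the peer's R with our own R'."""
        E = secrets.token_bytes(16)
        R = peer.respond(key_name, E)
        return hmac.compare_digest(R, f(key or self._zone[key_name], b"auth", E))


class FirstObject(Element):
    """Portable object 21: holds S, mother key K and the limit of use."""

    def __init__(self, S, K, limit):
        super().__init__(S=S, K=K)
        self._limit = limit

    def release_rights(self, module):
        # Object 21 authenticates the module before any secret leaves it.
        if not self.authenticate(module, "S"):
            raise PermissionError("transfer module not authenticated")
        # Sent unencrypted here; the text also allows encryption under Sc.
        return self._zone["K"], self._limit


class SecondObject(Element):
    """Portable object 22: holds Kd; parameter and memory 26 are open."""

    def __init__(self, parameter, Kd):
        super().__init__(Kd=Kd)
        self.parameter = parameter
        self.memory = []


class TransferModule(Element):
    """Module 8: starts with S only and is inhibited until rights are loaded."""

    def __init__(self, S):
        super().__init__(S=S)
        self._remaining = 0

    def load_from(self, obj21):
        if not self.authenticate(obj21, "S"):           # reverse direction
            raise PermissionError("first portable object not authenticated")
        self._zone["K"], self._remaining = obj21.release_rights(self)

    def sign_into(self, obj22, M):
        if self._remaining <= 0:
            self._zone.pop("K", None)                   # rights no longer usable
            raise PermissionError("module inhibited: limit of use reached")
        Kd = diversify(self._zone["K"], obj22.parameter)  # recomputed, not stored
        if not self.authenticate(obj22, "Kd", key=Kd):
            raise PermissionError("second portable object not authenticated")
        self._remaining -= 1                            # one transaction used
        SG = signature(self._zone["K"], M)
        obj22.memory.append((M, SG))                    # step 39
        return SG


def personalise(limit):
    """Authorised-facility step; returns K too so a verifier can check SG."""
    S, K = secrets.token_bytes(32), secrets.token_bytes(32)
    parameter = b"OBJECT-22-0001"                       # constructed sample value
    return (TransferModule(S), FirstObject(S, K, limit),
            SecondObject(parameter, diversify(K, parameter)), K)


if __name__ == "__main__":
    module, obj21, obj22, K = personalise(limit=1)
    module.load_from(obj21)                                         # steps 31-34
    print(module.sign_into(obj22, b"constructed message M").hex())  # steps 35-39
```
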

Although symmetrical protected-key algorithms have
been presented above, it would of course be possible to take
advantage of asymmetrical public-key algorithms, in such a
way that at least one of the portable objects or the transfer
module incorporates a public key instead of a secret key. For
example, the authorized facility initially disposes a signature
in the second portable object 22 which, thanks to the
algorithm, is calculated as a function of a datum for iden-
tifying this object and a secret key, the authentication of this
object by the transfer module 8 causing the intervention of
a corresponding public key to verify this signature, this
public key initially being in the memory of the first portable
object 21.

Among the various applications of the invention, it is
possible to cite its application to the health field, in which the 
protected key K defines the access rights of a doctor, and the 
protected key Kd those of a patient, the process according to 
the invention allowing the doctor to introduce into the 
portable object 22 of the patient a message constituted by a
prescription with which the signature of the doctor is 
associated, a signature which is verifiable by any facility 
which has the public keys correlated to the secret keys K, 
Kd. 

In the case in which the dialogue with the second portable
object 22 would require the simultaneous involvement of the 
access rights of several first portable objects 21, the neces- 
sary access rights of these various first portable objects 21 
would be successively loaded into the transfer module 8 by 
inserting these objects one by one into the reader 6. Then the
dialogue between the transfer module 8 and the second 
portable object 22 would be established. 

The invention is also applicable in the case in which the 
first portable object 21 communicates with the processing 
device 1 remotely by means of a remote data processing line
or telephone line connected to the transmission interface, 
rather than locally by means of the portable object reader 6. 
The process according to the invention makes it possible to 
free up this line once the transfer of information between the 
first portable object and the processing device has been 
executed, in order to allocate it to other tasks during which 
the two portable objects 21, 22 will dialogue with one 
another. 

Furthermore, the invention applies not only in the case of 
a dialogue between the portable objects while the processing 
device is off line, but also in the case in which the processing 
device is on line in order to dialogue with a remote device 
which delivers or intervenes in the desired service provision. 

I claim:

1. A process for executing in an information processing 
device secure operations which require holding rights held 
by a first portable object, 

the information processing device comprising device pro- 
cessing means and device memory means for perform- 
ing general nonsecure operations, and incorporating a 
security module which comprises module processing 
means and module memory means for performing 
specific secure operations, said module memory means 
being nonvolatile and read-write accessible to said 
module processing means but at least write-protected 
from outside the module, 

said first portable object comprising first object process- 
ing means and first object memory means for perform- 
ing specific secure operations, said first object memory 
means being nonvolatile and read-write accessible to
said first object processing means but at least write-
protected from outside the first portable object, said
rights being stored in said first object memory means, 

the process comprising the steps of: 

establishing communication between said first portable 
object and said information processing device; 

copying said rights from said first object memory means 
to said module memory means under control of said 
module processing means;

stopping communication between said first portable 
object and said information processing device; 
using the information processing device in lieu of the first
portable object within a predetermined limit of use to 
perform said secure operations which require possess- 
ing said rights, by requesting the information process- 
ing device to derive said rights from said security 
module; and 

inhibiting operation of said module under the control of 
said security module processing means when said pre- 
determined limit of use has been reached. 

2. The process as claimed in claim 1, wherein said first 
portable object memory means stores an object key, and said 
module memory stores a first module key correlated to the
object key, wherein said step of copying rights from said first
object memory means to said module memory means is
executed only if a mutual cryptographic procedure based on 
said object key and first module key is successfully per- 
formed. 

3. The process as claimed in claim 1, wherein said first 
object memory means stores an encryption key and an 
encryption algorithm while the module memory means 
stores a decryption key and a decryption algorithm respec- 
tively correlated to said encryption key and encryption 
algorithm, further comprising the steps of: 

encrypting said rights of said first portable object with
said encryption key and encryption algorithm in the
first portable object before copying;

decrypting said rights of first portable object with said
decryption key and decryption algorithm in the module
memory means after copying.

4. A process for executing secure operations between a 
first portable object and a second portable object which 
require holding rights held by the first portable object by 
using an information processing device, the information 
processing device comprising device processing means and 
device memory means for performing general nonsecure 
operations, and incorporating a security module which com- 
prises module processing means and module memory means 
for performing specific secure operations, said module 
memory means being nonvolatile and read-write accessible 
to module processing means but at least write-protected 
from outside the module, 

said first and second portable objects comprising respec- 
tive first and second object processing means and first 
and second object memory means for performing spe- 
cific secure operations, said first and second object 
memory means being nonvolatile and read-write acces-
sible to first and second object processing means
respectively but at least write-protected from outside
the first and second portable objects respectively, said
rights being stored in said first and second object
memory means respectively, 

the process comprising the steps of: 

establishing communication between said first portable 
object and said information processing device; 

copying said rights from said first object memory means 
to said module memory means under the control of said 
module processing means; 

stopping communication between said first portable 
object and said information processing device; 

using the information processing device in lieu of the first 
portable object to perform said secure operations by 
cooperating with said second portable object and by 
requesting the information processing device to derive 
said rights from said module. 

5. The process as claimed in claim 4, wherein said first 
object memory means stores an object key, and said module 
memory means stores a first module key correlated to the
object key, wherein said step of copying rights from said first 
object memory means to said module memory means is 
executed only if a mutual cryptographic procedure based on 
said object key and first module key is successfully per- 
formed. 

6. The process as claimed in claim 4, wherein said first 
object memory means store an encryption key and an 
encryption algorithm while the module memory means store 
a decryption key and a decryption algorithm respectively 
correlated to said encryption key and encryption algorithm, 
further comprising the steps of: 

encrypting said rights of said first portable object with
said encryption key and encryption algorithm in the
first portable object before copying;

decrypting said rights of the first portable object with said
decryption key and decryption algorithm in the module
after copying.

7. The process of claim 4, for establishing a dialogue 
between the first and the second portable objects which 
requires the utilization of said rights of said first and said 
second portable objects, wherein, once the second portable 
object is cooperating with the information processing 
device, the module and the second portable object are 
connected using said rights of said first and second portable 
objects. 

8. The process of claim 7, wherein said rights copied from
said first portable object to said module comprise a first 
object key, and said rights of said second portable object 
comprise a second object key correlated to the first object 
key, and said dialogue comprises implementing a mutual 
cryptographic procedure based on said two object keys. 

9. An information processing system for performing 
secure operations which require holding rights held by a first 
portable object, said system having an information process- 
ing device, 

the information processing device comprising device pro- 
cessing means and device memory means for perform- 
ing general nonsecure operations, reader means for 
cooperating with a portable object, and incorporating a 
security module which comprises module processing 
means and module memory means for performing 
specific secure operations, said module memory means 
being nonvolatile and read-write accessible to module 
processing means but at least write-protected from 
outside the module, 

said first portable object comprising first object process- 
ing means and first object memory means for perform- 
ing specific secure operations, said first object memory 
means being nonvolatile and read-write accessible to 
first object processing means but at least write- 
protected from outside the first portable object, said 
rights being stored in said first object memory means, 

said device processing means comprising: 

means for triggering and controlling a communication 
between said module and said first portable object 
through said reader means; 
means for copying said rights from said first object 
memory means to said module memory means under 
the control of said module processing means; 

means for stopping communication between first portable 
object and information processing device; 

means for performing said secure operations within a 
predetermined limit of use which require possessing 
said rights, by deriving said rights from said module in 
lieu of the first portable object; and 

means for inhibiting operation of said module under the 
control of said module processing means when said 
predetermined limit of use has been reached. 

10. The device as claimed in claim 9, wherein said device 
processing means comprise a program contained in said 
device memory means. 

11. An information processing system for executing 
secure operations between a first portable object and a 
second portable object which require holding rights held by 
the first portable object, said system having an information 
processing device, the information processing device com- 
prising device processing means and device memory means 
for performing general nonsecure operations, reader means 
for cooperating with a portable object, and incorporating a 
security module which comprises module processing means 
and module memory means for performing specific secure 
operations, said module memory means being nonvolatile 
and read-write accessible to module processing means but at 
least write-protected from outside the module, 

said first and said second portable objects comprising 
respective first and second object processing means and 
first and second object memory means for performing 
specific secure operations, said first and said second 
object memory means being nonvolatile and read-write 
accessible to first and second object processing means, 
respectively, but at least write-protected from outside 
the first and the second portable objects, respectively, 
said rights being stored in said first and said second 
object memory means respectively, 

said device processing means comprising: 

means for triggering and controlling a communication 
between said module and said first portable object 
through said reader means; 

means for copying said rights from said first object 
memory means to said module memory means under 
the control of said module processing means; 

means for stopping communication between first portable 
object and information processing device; 

means for performing said secure operations, by cooper- 
ating with said second portable object and by deriving 
said rights from said module and said second portable 
object in lieu of the first portable object. 

12. The device as claimed in claim 11, wherein said 
device processing means comprise a program contained in 
said device memory means. 
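
A model of the flow in claims 5 and 9, as an added example that is not part of the patent: rights are copied into the module only after both sides authenticate, and the module then serves them in lieu of the portable object until a limit of use is reached. Assumptions: HMAC-SHA256 challenge-response stands in for the unspecified "mutual cryptographic procedure", the "correlated" object and module keys are taken to be one shared secret, and all class, method and parameter names are hypothetical.

```python
import hashlib
import hmac
import secrets


def respond(key: bytes, challenge: bytes) -> bytes:
    """Prove possession of key by MACing a fresh challenge (assumed procedure)."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class PortableObject:
    """First portable object: holds the rights in its protected zone."""

    def __init__(self, object_key: bytes, rights: bytes):
        self._key, self._rights = object_key, rights

    def answer(self, challenge: bytes) -> bytes:
        return respond(self._key, challenge)

    def release_rights(self, module: "SecurityModule") -> bytes:
        # Object side of the mutual check: the module must also prove its key.
        challenge = secrets.token_bytes(16)
        if not hmac.compare_digest(module.answer(challenge), respond(self._key, challenge)):
            raise PermissionError("module failed authentication")
        return self._rights


class SecurityModule:
    """Module inside the device: stores copied rights, enforces a limit of use."""

    def __init__(self, module_key: bytes, limit_of_use: int):
        self._key, self._remaining, self._rights = module_key, limit_of_use, None

    def answer(self, challenge: bytes) -> bytes:
        return respond(self._key, challenge)

    def load_from(self, obj: PortableObject) -> None:
        # Module side of the mutual check, then the copy (claim 5).
        challenge = secrets.token_bytes(16)
        if not hmac.compare_digest(obj.answer(challenge), respond(self._key, challenge)):
            raise PermissionError("portable object failed authentication")
        self._rights = obj.release_rights(self)

    def use_rights(self) -> bytes:
        # Claim 9: serve the rights in lieu of the object until the limit is reached.
        if self._rights is None or self._remaining <= 0:
            self._rights = None  # assumption: inhibition modelled as erasing the copy
            raise PermissionError("module inhibited or not loaded")
        self._remaining -= 1
        return self._rights
```

A module holding a non-correlated key fails at `load_from`, so nothing is copied; a loaded module raises `PermissionError` on the first call past `limit_of_use`.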
